Feds Unite on Security Benchmarks

High-level tech officials team amid criticism of government cyber efforts.

A group of high-level IT officials in the federal government has begun collaborating on configuration benchmarks that government agencies could be required to use in future purchases of hardware and software.
The development of the benchmarks is at once an indication of the growing importance of security in Washington and of the government's intention to use its purchasing power as an agent of change inside the Beltway and in the vendor community.

"Yes, I believe the government is getting better at this," said Alan Paller, research director at The SANS Institute, based in Bethesda, Md., who has spoken with many of the federal CIOs involved in this effort. "This doesn't solve the entire problem, but it helps going forward. I believe a great deal of money was thrown away on reports that could've been spent on solving the problem."

The move comes at a time of heavy criticism of the government's security efforts, much of it tied to last week's release of an annual report card from the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census on the security of federal agencies' networks.
The government received an overall grade of D, up from an F last year, for the state of its security, as measured against a set of criteria laid out in FISMA (Federal Information Security Management Act), signed by President Bush last December. Several large agencies, including the Department of Homeland Security, Department of Justice and Department of State, received failing grades. But observers say the test is not an accurate reflection of the agencies' security posture because the self-evaluation the agencies must perform can cost hundreds of thousands of dollars, depending on the size of the network. Many agencies had difficulty finding money in their budgets to complete the evaluation.
Despite cries of unfairness from some agencies that did not score well, Rep. Adam Putnam, R-Fla., who is the subcommittee's chairman, intends to continue the scoring process in the coming year and is planning to hold an oversight hearing in early March, said Bob Dix, staff director for the subcommittee.
"People knew what the scoring criteria would be," Dix said. "It is disappointing to us that a couple of the agencies have gone backward."
One of the biggest problems at the agencies is the continued inability to provide complete and reliable inventories of IT assets, which is required under federal law, Dix said. Additionally, it appears that the leadership at some agencies is not as involved in the process as it is at others.
"At the Department of Labor, the secretary is engaged in this issue. Their performance is evidence of that," Dix said.
A part of FISMA is a requirement that each federal agency establish a set of benchmarks for system configurations and comply with those standards. The act does not specify what those standards should be. The evaluation for 2003 did not test agencies on these benchmarks, but next year's will.
As a result, federal CIOs and other top IT officials have begun working together to develop such common configuration benchmarks. Those standards could eventually make their way to the private sector once they're finalized.

Among FISMA's provisions:

- Requirement for each agency to develop and adhere to system configuration guidelines
- Annual test of security policies and procedures
- Plan for continuity of operations
- Requirement for each agency to inventory its major information systems

"This is good government. You need these benchmarks if you plan to buy software this way," said Roger Cressey, president of Good Harbor Consulting LLC, in Alexandria, Va., and former chief of staff of the President's Critical Infrastructure Protection Board. "It's not something where you place a call and snap your fingers, and the product is delivered securely. It's the right thing to do."
The standards could cover what services should be enabled or disabled by default, as well as more mundane items such as password length. This is not an entirely novel idea, however. Earlier this year, the Department of Energy announced a contract with Oracle Corp. in which the database vendor agreed to deliver its software in a secure configuration, as dictated by guidelines established by the Center for Internet Security. In addition, the National Institute of Standards and Technology has implementation guides and checklists available for various technologies.
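A configuration benchmark of the kind described above is only useful if an agency can check hosts against it. The following is an added example, not code from the article or from any agency, CIS or NIST: it defines a small constructed benchmark (services that must be off, services that must be on, a minimum password length), parses two constructed host artifacts (a "name state" service listing and a login.defs-style file), and reports which rules pass. The rule set, the input format and the sample data are all assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    passed: bool
    detail: str


# Constructed benchmark for illustration; not the CIS, NIST or any agency baseline.
BENCHMARK = {
    "services_must_be_disabled": ("finger", "rsh", "telnet"),
    "services_must_be_enabled": ("auditd", "sshd"),
    "min_password_length": 12,
}

# Assumed listing format: one service per line, "<name> enabled|disabled".
SERVICE_LINE = re.compile(r"^(?P<name>[\w.-]+)\s+(?P<state>enabled|disabled)$")


def parse_service_list(text: str) -> set[str]:
    """Return the set of enabled services; reject lines that do not fit the format."""
    enabled = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVICE_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised service line: {line!r}")
        if m.group("state") == "enabled":
            enabled.add(m.group("name"))
    return enabled


def parse_min_password_length(login_defs: str) -> int:
    """Extract PASS_MIN_LEN from login.defs-style text; 0 when the key is absent."""
    for line in login_defs.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "PASS_MIN_LEN":
            return int(parts[1])
    return 0


def evaluate(enabled: set[str], min_pw_len: int, benchmark: dict = BENCHMARK) -> list[Finding]:
    """Apply every benchmark rule and return one Finding per rule."""
    findings = []
    for svc in benchmark["services_must_be_disabled"]:
        ok = svc not in enabled
        findings.append(Finding(f"disable-{svc}", ok, f"{svc} is {'disabled' if ok else 'enabled'}"))
    for svc in benchmark["services_must_be_enabled"]:
        ok = svc in enabled
        findings.append(Finding(f"enable-{svc}", ok, f"{svc} is {'enabled' if ok else 'not enabled'}"))
    need = benchmark["min_password_length"]
    ok = min_pw_len >= need
    findings.append(Finding("password-min-length", ok, f"PASS_MIN_LEN is {min_pw_len}, benchmark requires {need}"))
    return findings


def failures(findings: list[Finding]) -> list[str]:
    """Rule ids that did not pass, in benchmark order."""
    return [f.rule_id for f in findings if not f.passed]


def audit(services_text: str, login_defs_text: str, benchmark: dict = BENCHMARK) -> list[Finding]:
    return evaluate(parse_service_list(services_text), parse_min_password_length(login_defs_text), benchmark)


# Constructed sample host data, not output captured from a real system.
SAMPLE_SERVICES = """# constructed service listing
sshd    enabled
telnet  enabled
rsh     disabled
finger  disabled
cups    enabled
"""
SAMPLE_LOGIN_DEFS = """PASS_MAX_DAYS 90
PASS_MIN_LEN 8
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES, SAMPLE_LOGIN_DEFS):
        print("PASS" if f.passed else "FAIL", f.rule_id, f.detail)
```

Run against the sample host, the audit flags telnet (enabled but must be off), auditd (required but absent) and the 8-character password minimum; every other rule passes. Keeping each rule as a separate Finding rather than a single pass/fail lets the result feed an inventory or report card line by line, which is the granularity the FISMA evaluation described here asks for.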
But security experts and Washington insiders say this is an important step in the government's progression toward better security.
"They're not there yet, but the fact that they're talking about alternatives like benchmarks is a good thing," said Ron Sable, vice president of the public sector at Guardent Inc., a managed security services company based in Waltham, Mass. "They're dealing with it, but it is the government. There are enormous challenges."
Chief among those challenges is the limited budgets the individual agencies must contend with. But perhaps an even thornier issue is executing a complete inventory of an agency's IT assets, especially in large organizations such as the Department of Defense or the DOJ, which have dozens of remote locations and thousands of personnel working in the field.